This document provides configuration guidance for users of Cisco IOS® SSL VPN. This feature is designed to terminate SSL VPN connections on Cisco IOS SSL VPN-capable routers (1800, 2800, 3700, 3800, 7200, and 7301). SSL VPN is comparable to and complements the popular IP Security (IPsec) remote-access VPN.
The testing was performed at the NSITE lab in Research Triangle Park, North Carolina (RTP) on the devices defined above. The objective of the testing was to configure and test the uses of WebVPN contexts, and the policy groups. Basically, we will look at how the policy group is used and set up in the context. We will also look at how each setup is used from the end-user perspective.
This document discusses some of the configuration concepts and usage. The policy group is the template of parameters an end-user SSL VPN session will embody during session establishment. The enforcement of policy is an important part of any SSL VPN service.
Note: All Cisco IOS SSL VPN/WebVPN features are included in a single, cost-effective license that would be purchased separately. You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com configuration tool. If you already have a router, use the following SKUs to order the license: FL-WEBVPN-10-K9=, FL-WEBVPN-25-K9=, FL-WEBVPN-100-K9=. Check the data sheet to find the maximum supported users for your platform.
This configuration guide is intended for customers and partners working to provide configuration guidelines and best practices for smaller SSL VPN deployments.
3. Network Topology
Figure 1 shows a Cisco IOS SSL VPN topology that uses redundant AAA servers.
Figure 1. Basic Cisco IOS SSL VPN Topology with AAA Server
4. Basic Configurations
4.1 Configuration Overview
This document only considers the configuration of the SSL VPN policy groups, and how these components work with the contexts. In Figure 2, you can see how the gateways, contexts, and policy groups are related. You can also see that the context is the main focus for the user sessions. The gateway is just the destination IP endpoint for the user session, and the context is where the policy group is defined and applied to the user session. The policy group determines the parameters of the user session, and how the session will behave.
Figure 2. Cisco IOS SSL VPN Configuration Map
4.2 Policy Groups
The policy group is where the administrator can specify the SSL VPN user session parameters and set up the appearance of the login/portal page. Its scope is limited for use within a given context. The policies can be used to specify the common session parameters for a group of users. Typically, the administrator will set up multiple policy groups; however, only one policy can be applied as default.
In Clientless mode the portal, including the toolbars and links, is set up under the policy. In Tunnel mode, the administrator can set up the tunnel mode capabilities, and specify the SSL VPN Client user parameters.
4.2.1 Multiple Policy Groups
It is common to have multiple groups of users; not every user will have the same needs, or permissions to resources on the VPN. For each group of users, you may want to define a unique policy group.
Since you can only define one default policy group, there needs to be a way to dynamically assign a user to any group. RADIUS attributes are used to do this. During authentication, the RADIUS server can push down the webvpn:user-vpn-group attribute (Appendix A), which selects one of the configured policy groups. If the policy group name does not exist, or this attribute is not pushed down for the authenticated user, the default policy group will be used if configured. So, it is possible to only allow policy group assignment using RADIUS attributes.
Note: Policy groups can either be applied to a user session using the `default-group-policy' command or can be applied to a user session through the RADIUS attribute webvpn:user-vpn-group (Appendix A).
4.2.2 Default Policy Group
The `default-group-policy' command is used to apply a policy to any user that logs in, and is not assigned a policy through RADIUS. Only one policy group can be configured as default under the context using the default-group-policy <name> command.
There are a few reasons to set up one policy group as the default:
1. If the context has only one policy group, and does not use RADUIS authentication and attributes, the default policy group command is the only way to apply a policy.
2. If the context does use RADIUS authentication, and the webvpn:user-vpn-group attribute does not match any of the configured policies, the default policy will be applied.
3. It can be used as a "catch-all", where most of the remote users will fall into the policy but only special cases need to be handled through the RADIUS attribute.
webvpn context vpn1
title "SSLVPN Cisco"
logo file flash:/nsitelogo.gif
ssl authenticate verify all
policy group aswan
svc address-pool "ssl_addr_pool1"
policy group eng
svc address-pool "ssl_addr_pool1"
gateway ssl-gw1 domain cisco
5. SSL VPN Session Establishment
5.1 End-to-End User Data Flow
Figure 3 shows the sequence of events that take place when a user establishes an SSL VPN session to the IOS SSL VPN router.
Figure 3. End-to-End SSL VPN
Figure 3 shows how the end-to-end SSL VPN is established. This basically applies to all SSL VPN modes.
1. The end user initiates the SSL VPN connection to the WebVPN gateway. This can be a DNS name or IP address. Depending on the method being used to log into the gateway, the user will have to enter the username and password.
2. The context a user is attempting to connect to is identified by the URL or login information. Now the user must be authenticated under the context they belong to.
3. The secure gateway must determine if it will let this user into the WebVPN context, so it will send the username and password to the AAA server. The method of AAA does not matter, just so authentication can be done.
4. The AAA server authenticates the user and it will indicate this to the context. It may also push down any RADIUS attributes for that user. The WebVPN context will build a user session under the context, and apply the policy group information and RADIUS attributes. Now the workflow changes depending on the policy group parameters applied to the user session.
• If the user is using Clientless mode, which is the default mode for a context, the process is complete. The WebVPN portal will now be displayed to the end user in the Web browser. The user will have the specified access to the VPN.
• If the user is going to do Tunnel mode, using function svc-enabled or svc-required in the group policy or RADIUS attributes, the process to push down the SSL VPN Client will happen next. This will mean that the SSL VPN Client once installed on the client PC will establish a new SSL session to the context, and the original context will be removed. Furthermore, it will alter the PC routing table to do the specified tunnel function defined in the policy.
5. Now that the user session is established to the WebVPN secure gateway, the backend interfaces handle the access to the inside network.
Once a user is authenticated under a given context, the user session is established. This user session will embody the parameters specified globally in the context, the group policy, and any RADIUS attributes pushed down during authentication for that user.
Note: RADIUS attributes pushed from the AAA server for a user session will override the equivalent configured values. This allows the group policy to apply the entire default configuration for a group of users, and the RADIUS attributes will fine-tune the user session.
6. Limitations, Caveats, Integration Issues, and Guidelines